Last week saw the news of another Supply Chain Attack, one involving the software company that supplies a program called CCleaner (or Crap Cleaner).

"A supply chain is a system of activities involved in handling, distributing, manufacturing and processing goods in order to move resources from a vendor into the hands of the final consumer".

A supply chain attack is where cyber-criminals attempt to compromise a product or service, usually at the less secure stages of the process. What happened in the CCleaner attack is that hackers managed to insert a backdoor into the CCleaner installer, which was then distributed from CCleaner's own website and installed on unsuspecting users' machines as part of the normal installation process.

In this instance the type of information obtained was limited to :-

Name of the computer

Its IP address

Installed Software

Running processes

However, the type of information could have been much worse for the end user had the hackers designed the payload differently.

Our advice would be that this type of successful attack is a rare occurrence, and generally you are much better off keeping your system updated (patched) than not.

Yahoo we've got your password

Well, where to start. I think one of the most memorable hacks of 2016 was the Yahoo hack(s). Yes, hacks; well, actually the data breaches (or hacks) occurred a couple of years earlier, but Yahoo thought it better not to tell its users until 2016. Initially Yahoo reported that a mere 500 million accounts were breached, but later in the year they increased the figure, admitting that another billion user accounts' data had been breached. Keeping quiet on a data breach is never a good PR strategy. I would suggest that these latest breaches have not served to instil trust and credibility in the Yahoo brand.

Democratic National Committee (DNC) Hack

This was a big one, as it may well have had a real effect on the outcome of the USA Presidential Election, with many scandals erupting in the run-up to the vote, and more yet to come. The rumours are still rumbling around this, from potential 'threat actor' interventions by the initial hacking group to links with Russia's involvement.

The SWIFT Hack

The hack which had the potential to take down a large part of the internal banking system. The attack was a malware (malicious software) based attack which spread across the internal banking communications network. The full ramifications of this hack are not yet published; however, the initial hackers gained $81 million.

DDoS Attack on Dyn

Dyn is a company that converts Internet Protocol addresses into text-based website addresses. So, for example, it can turn 172.217.0.163 into www.google.co.uk. Hackers used a 'botnet' (built with the Mirai malware), taking over millions of internet-connected devices (including IP cameras and modems) to attack Dyn's servers and cause a DDoS (Distributed Denial of Service). This meant that thousands of websites which use Dyn's services could not be reached, including the likes of Facebook, Netflix and Twitter.

Alternative Targets

2016 has shown a whole range of devices that have been, or have the potential to be, hacked, from drones and medical equipment to cars. As the number of internet-connected things grows at a massive rate, the scale and depth of these types of attacks is sure to increase.

Ransomware

Well, 2016 has seen a surge in this type of hacker activity. This is where the 'victim' downloads and executes some form of malware (there are many different variants out there, Locky being one in particular). The malware then encrypts all the data on the victim's drive and can even encrypt folders on the network. The victim is then shown instructions on how to pay to get the decryption 'key' to get the data back. As I have previously reported, paying the hackers will only fuel the amount and type of ransomware out there, so our advice is to :-

Don’t click on links you do not trust.

If you click on a photo or other file to view and it tries to download it, cancel it.

Back up your data on a removable device.

There are many more hacks that I have covered over the last 12 months, check out @bluwasp on Twitter or see the Blog posts below for more details. @bluwasp also on instagram (@bluwasp.co.uk)

I know it's November, but I have already been thinking about Christmas. Well it's more about certain high street shops and their Christmas advertising campaigns, and how powerful I think these are and how this concept can be used to assist with Cyber Security awareness.

Remember one of last year's TV adverts, "The Man on the Moon"? If you can, that's the power of storytelling: do you still get that sad feeling about the old man sat on a bench? Well, what's that got to do with Information Security or Cyber Security? Good storytelling is one way that we as security professionals can help to ensure that the message hits home.

So how can we use storytelling to get information security across to all employees?

Two Types of Business

If it gets measured, it gets done.

Stats are useful, as long as they are meaningful. Did you know it takes on average 90 days until organisations realise that they have been hacked (sometimes businesses don't even know)? That's 3 months; can you imagine what damage could be done with that information in that time?

Did you know that "Every 3 Seconds another business website is affected with Malware"?

Sometimes we give people stats which are of no use to those receiving the information, and which do not help them recount the story to others.

Therefore it is really important you plan for your response and recovery now, and not wait until a data breach or attack occurs.

Large Whales

It starts at the top!

The first line of defence is ensuring that the Board are aware of the Cyber Security risks. CEOs are increasingly being targeted by 'harpooning' attacks. (Here I go using jargon again.)

Many Private Sector Boards seem to understand the consequences of cyber security breaches; however, Public Sector Boards seem to be slow out of the blocks. The 'Whales' are high-profile CEOs, active on social media, with lots of personal information out there, and they are also usually the ones who like to have the newest and best technology. These are perceived as easy targets for Social Engineering attacks (using 'Phishing' techniques, but with a far bigger catch if successful).

I would say that this is the biggest risk factor for organisations in today's world. There is a need for senior executive level responsibility, with Information Security being a standing item on the board agenda. It sends a message to the whole organisation of how important Cyber Security is.

It is not just about cyber security; it's about the whole area of Information Security, including people and the organisation's buildings and assets.

Communication is key. It is imperative that the more technically minded talk in a way that the non-technical will understand, otherwise Risk may be ignored.

Risk Management Process

Information Security is part of running costs

On average, approximately £40k is spent on fixing the issue. The real costs, however, are much, much more. How do you put a cost on the damage to your business's reputation?

Remember Gerald Ratner's famous speech? He uttered the words: "We also do cut-glass sherry decanters complete with six glasses on a silver-plated tray that your butler can serve you drinks on, all for £4.95. People say, 'How can you sell this for such a low price?' I say, 'because it's total crap.'" That was all it took to see a total loss of reputation and profits for the business.

These days, having a data breach and having your customer details taken is a real-life risk. However, it is also about your response to the attack.

Your staff can be your weakest link.

Far too often hackers use Social Engineering (which is about behaviours) to carry out an attack. Employees need simple and practical advice on what they need to do and why they need to do it. Rather than the usual annual 'e-learning', it is better to use face-to-face interactions, simulations or even games. What would happen to an employee in your organisation if they came forward and said they had made a mistake?

Summary

Organisations that are good at Information Security are those that have a more effective and engaging way of telling their story. Remember the long shadow of leadership: when senior leaders demonstrate that Information Security is high on the organisation's agenda and firmly on their radar, others will follow. Remember, there is a need to reinforce and refresh employees' learning. So what is the story that your employees will understand, and that will help you change your organisation's Cyber Security culture?

Today, I have read a few news articles (which I think have been based on a guidance paper recently published by the National Cyber Security Centre, NCSC), talking about the use of passwords. The thing is, many of the articles I have read were using the premise that people were just tired out or fatigued by Cyber Security. Unfortunately, I come across many businesses who simply did not know of the Cyber Security risks, or how to take the necessary steps to protect themselves, until they had suffered a data breach. Some worrying facts :-

Password re-use: within the UK, the average Briton uses 22 separate passwords. Worryingly, they use the same login details across at least 4 separate websites! (Source: NCSC)

Those sticky notes hidden close to a device (I have seen them stuck to the PC itself in more than one organisation).

It can be a pain having to go through 2-factor authentication, or having to change beloved passwords when prompted by increased security, but there are real reasons for this approach. But it's not just our personal passwords which are a cause for concern: research carried out back in 2012 (Carna 2012, where someone scanned the internet for open devices) showed that thousands of devices were still using their default user name and password, with a lot of devices carrying 'root'/'root' or 'admin'/'admin' as the user name and password combination. I would imagine that, with the explosion in the Internet of Things (IoT), the scale of the problem will have expanded tremendously.

It's easy enough to blame the end user for not taking steps to protect themselves. But manufacturers and others must do their bit to improve the Cyber Security landscape. We should not have to read about another car, medical product or similar that doesn't even have encryption (as per my small video below)...

After all, it's not just end users and manufacturers who have to play their part, but also the online companies and websites that we trust with our data (as the TalkTalk ICO fine earlier this week shows). So for my part, I will continue to raise the issue of Cyber Security until it is no longer needed; sorry if this causes you a little 'fatigue', but at least you will have the info to enable you to make informed choices. @bluwasp

I was talking to an acquaintance this morning and during the conversation he happened to say, "Saw the news the other day about that Yahoo hack from a few years ago, I'm not bothered, I stopped using the account years ago". So I asked him if he had deactivated the account and erased all his emails, at which I could see the quizzical look on his face, so I then went on to explain the potential issues.

By the way it's fairly easy to deactivate a Yahoo account, as below (but remember that you will no longer get access to the emails again!).

Password Reuse.

Ok, so what are the pitfalls of what seems like a simple approach: just ignoring the fact that you used to use an email account and have left it dormant? If you re-use or recycle your password (for example mypass1, mypass2), then your other accounts are vulnerable. And it's not just email accounts, but also those obscure sites you may have signed up to in the past, as in the example below.

So the moral when thinking about passwords, is to think of them like a toothbrush. "Don't let anybody else use it, and get a new one every six months." (Clifford Stoll)
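The recycling pattern described above (mypass1, mypass2, a capital letter or a "!" added on) is easy to spot mechanically, and a password manager export or a password-change hook is the natural place to check for it. The following is an added example written for this page, not code from the blog or from any product it mentions; the account labels and passwords in SAMPLE_ACCOUNTS are constructed for the demonstration, and the leet-style substitution table is an assumption about what "cosmetic" edits look like.

```python
import re
from collections import defaultdict

# Symbol swaps people use to "change" a password without really changing it.
_SYMBOL_LEET = str.maketrans({"@": "a", "$": "s"})
# Digit-for-letter swaps (applied only after trailing counters are stripped,
# so mypass1 is treated as mypass + counter, not mypass + 'i').
_DIGIT_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def canonical(password: str) -> str:
    """Reduce a password to its core so that trivial recycling is visible.

    mypass1, mypass2, MyPass! and myp4ss all collapse to 'mypass'.
    """
    core = password.lower().translate(_SYMBOL_LEET)
    core = re.sub(r"[^a-z0-9]", "", core)    # drop punctuation added "for security"
    core = re.sub(r"^\d+|\d+$", "", core)    # strip leading/trailing digit runs (counters, years)
    return core.translate(_DIGIT_LEET)       # undo p4ssw0rd-style swaps


def is_trivial_variant(old_password: str, new_password: str) -> bool:
    """True if the new password is only a cosmetic edit of the old one."""
    return canonical(old_password) == canonical(new_password)


def find_recycled(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Group account labels whose passwords share the same core.

    accounts maps an account label to its password (for instance an export
    from a password manager). Only groups of two or more are returned.
    """
    groups: dict[str, list[str]] = defaultdict(list)
    for account, password in accounts.items():
        groups[canonical(password)].append(account)
    return {core: names for core, names in groups.items() if len(names) > 1}


# Constructed sample data for the demonstration; not real accounts or passwords.
SAMPLE_ACCOUNTS = {
    "old-yahoo-mail": "mypass1",
    "shopping-site": "mypass2",
    "social-network": "MyPass!",
    "forum-from-2009": "P@ssw0rd2016",
    "work-vpn": "Password",
    "bank": "correct-horse-battery-staple",
}

if __name__ == "__main__":
    for core, names in find_recycled(SAMPLE_ACCOUNTS).items():
        print(f"password core {core!r} is shared by: {', '.join(names)}")
```

Run against the sample, the old Yahoo mailbox, the shopping site and the social network all collapse to the same core, which is exactly the exposure the post warns about: one leaked dormant account hands over the rest. A password that is all digits or all punctuation reduces to an empty core, so a real deployment should reject those outright rather than compare them.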

What have you left behind?

The mail account may be linked to other accounts, or the hacker could use the email to impersonate you by signing up to other sites (ones you might not want to be associated with) or social media accounts. Also, what other useful data is stored in your old accounts? Is this something that you would like a 3rd party to be able to use without your control?

And it's not just the embarrassment that could be caused if someone was to impersonate you for their own purposes, financially it could be quite costly.

Memorable Stuff.

Ok, unless you're Marty McFly (the fictional character in the Back to the Future trilogy), your memorable information is unlikely to change. For example, do you know someone who was born in more than one place? Well, your memorable answers are probably very similar to those for other security requests, so if a hacker has your details for one account, it may be easier to cause you issues in another.

Top Tip: Just because a site asks you to answer security questions, it doesn't mean that when you first set them up that the information has to be factually accurate. That's why my favourite colour is M0s£$^tW3sS5k.

So my advice to all those would-be protagonists: deactivate old accounts now, or spend more time and suffer potential embarrassment/loss in the future. Or are you still "not bothered"? bluwasp.

I read an article yesterday about proposals for insurance companies to obtain information in order to personalise people's insurance premiums. This related to home and car insurance companies collecting details about customers' hobbies and daily habits in order to decide how much customers pay for cover.

Although I am generally sceptical about articles that talk about 'secret plans', and some of the suggested sources of data may be a little way off, I think that it is a direction insurance companies wish to travel in.

Car insurance companies already offer different premiums for younger drivers who agree to have 'black boxes' fitted to their cars, which track driving performance, hours of the day, location etc. The future of the Internet of Things will inevitably mean that more and more data will be available. On the face of it, this seems a good idea; however, as the past few months have shown us, companies (large and small) have been the victims of data loss. The more personalised data companies obtain, the greater the risk that 'hackers' or other unscrupulous people will obtain and misuse it. @bluwasp

Over the last few months the number of data losses, hacked companies and stories of malware infections has grown at an alarming rate.

Companies large and small have been victims in this lucrative area, with victims having their companies' reputations damaged, let alone the financial impact.

I have been sharing some of these more high-profile stories on Twitter (for up-to-date items you can follow me at @bluwasp), with the aim of raising awareness to allow companies and individuals alike to take steps to protect themselves.

Some high-profile companies have succumbed to the threats and have paid out to the data kidnappers in return for their data being decrypted. However, this does not help others; in fact it adds fuel to the fire and ultimately will increase the risk further.

Rather than spending money on buying Bitcoins in the event your data gets kidnapped, spend the time and effort on backing up your data and protecting yourself. There have been cases whereby even after a ransom is paid the data has not been decrypted.

Ransomware can spread through infected programs, email attachments and any websites which have been affected.

But what is Ransomware?

If you're fully informed then there is no need to read further; however, I find that I am asked about this on a regular basis. Ransomware is Malware (malicious software) for data "kidnapping" (ok, it doesn't mean that the "kidnapper" takes your data and hides it in a safe house, sending you updates of it behind today's front page).

What it tends to be is a way in which an attacker "encrypts" the victim's data (makes the data unreadable without a key) and often demands payment for the "decryption key" (a code which will allow the data to be read again by the victim).

Ransomware programs are sometimes known as a "cryptovirus", "cryptoworm" or "cryptotrojan". At the time of writing, 93% of all phishing emails contained encryption ransomware, according to a report released by PhishMe, and the number of phishing emails hit 6.3 million in the first quarter of 2016, a 789% increase over the last quarter of 2015.

"Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication." (source wiki.)

More often than not, these attackers use one of several different methods to try to get money from their victims:

Victim's data is encrypted but nothing else happens. The "data kidnapper" hopes that the victim will use search engines to find a solution and provides a site supplying anti-kidnapping software.

Victims might receive an email message as a "ransom note", demanding money in exchange for the promise of a key. The ransom note explains that the key will expire by a certain date if the ransom is not paid, meaning that the data can never be opened again. Initially the amounts tended to be quite small, but recently the amounts have been increasing (larger amounts tending to be for data breaches at an organisational level).

Victims are informed by the "Police" that they are running unlicensed software on their computer, and that the "Police" require the victim to pay an electronic fine (obviously the payment goes to the kidnapper, as it has just been a ruse).

The victim's screen is locked, their data encrypted, and on-screen instructions inform the victim how to pay to unlock their data.
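Whichever of the four methods above is used, the thing they share is the one described earlier: files that were readable documents are rewritten, quickly and in bulk, as data that is unreadable without a key. That is something a defender can watch for. The following is an added example written for this page, not code from the blog or from any product it mentions: a small detector that treats a burst of high-entropy file writes as a sign of mass encryption. The WriteEvent records in SAMPLE_EVENTS are constructed (a real deployment would feed them from a file-system monitor), and the 7.5 bits-per-byte threshold, the 10-second window and the 5-file trigger are assumptions to be tuned for a real estate.

```python
import hashlib
import math
from collections import Counter, deque
from dataclasses import dataclass


@dataclass
class WriteEvent:
    """One file write as a file-system monitor might report it."""
    ts: float        # seconds, relative to the start of the sample
    path: str
    content: bytes   # bytes written (a monitor would read the file back)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for documents, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(event: WriteEvent, threshold: float = 7.5) -> bool:
    """Encrypted (or compressed) output is nearly uniform, so its entropy is high."""
    return shannon_entropy(event.content) >= threshold


def detect_mass_encryption(events, window_s: float = 10.0, min_files: int = 5):
    """Return one alert (a list of paths) per burst of at least min_files
    high-entropy writes landing within window_s seconds of each other."""
    hits = sorted((e for e in events if looks_encrypted(e)), key=lambda e: e.ts)
    window: deque = deque()
    alerts = []
    for event in hits:
        window.append(event)
        while event.ts - window[0].ts > window_s:   # drop writes older than the window
            window.popleft()
        if len(window) >= min_files:
            alerts.append([e.path for e in window])
            window.clear()                            # report each burst once
    return alerts


def _pseudo_ciphertext(n: int, seed: str) -> bytes:
    """Deterministic stand-in for encrypted content (SHA-256 keystream), for the sample only."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample: a normal morning of document edits, then a burst of
# files being rewritten as ciphertext with a ransom-style extension.
SAMPLE_EVENTS = [
    WriteEvent(0.0, "docs/report.docx", b"Quarterly sales figures, draft v2. " * 120),
    WriteEvent(300.0, "docs/notes.txt", b"Call supplier about invoice 4471.\n" * 80),
    WriteEvent(900.0, "docs/minutes.txt", b"Board meeting minutes, item 3: budget. " * 100),
] + [
    WriteEvent(1200.0 + i * 0.4, f"docs/file{i}.docx.locked", _pseudo_ciphertext(4096, f"f{i}"))
    for i in range(6)
]

if __name__ == "__main__":
    for paths in detect_mass_encryption(SAMPLE_EVENTS):
        print("possible ransomware activity:", ", ".join(paths))
```

On the sample, the three morning edits score low and produce nothing, while the six ".locked" rewrites at 1200 seconds trip the detector after the fifth. Entropy alone is a heuristic: zip archives, images and video are also high-entropy, so in practice the score is combined with the rate of writes, unexpected extension changes and canary files the business never touches, and the alert feeds the "format and restore from backup" step in the tips that follow rather than replacing it.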

So what can you do?

Top Tips to protect yourself against data kidnapping:-

Backup data on a regular basis.

Ensure you have an up-to-date firewall, anti-virus and patches (updates) for your software.

Do not open attachments without trusting the source.

Be careful which websites you visit and take care to only download programs from a trusted source.

If an attack does occur, format the hard drive and restore data from the backup (assuming you have taken note of Tip 1).

For businesses and organisations, employee awareness is a must. Note that carrying out simulations can be a good way to generate awareness and also alert employees to the types of techniques data kidnappers use. It is worth remembering that this awareness training should not be a one-off, as employees' vigilance can drop over time.

As with general Business Continuity Management, Senior Management commitment is key, so make sure they are included in any awareness training.

Report on any near misses and share them across the organisation. It is also worthwhile using up-to-date case studies or examples where things have gone wrong with data breaches, or other security lapses, which have resulted in loss or poor Public Relations, whether that be at other organisations or even dictatorships.

Just a short blog on Business Continuity Awareness Week 2016. This year's theme has been Return on Investment, looking at the reasons why organisations should embrace #BCM, and how this can impact positively on the bottom line. There have been many thought-provoking presentations and subjects over the Awareness Week, not least those on supply chain resilience as well as cyber crime and terrorism.

What is fundamentally clear is that the more technologically advanced we become as a society, the more at risk we seem to become from man-made threats. Spending a little effort and time in 'peace time' can certainly result in less risk and less financial loss should the worst risk materialise.

Exercising once again featured strongly within the last week (despite the potential costs); this really shows its importance when carried out properly, ensuring that the learning is fed back into the organisation and its BCMS via debriefing.

One of the thoughts of this week has been around changing your Business Continuity Management System (BCMS) from a cost of doing business to a business improvement tool. If organisations adopt this approach, then they are more likely to embrace BCM as a whole and add value rather than just applying a tick-box approach.

There have been many more subjects covered, in future blogs some of these subjects will be covered in more detail.